Stores simple states in exe

Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

DisabledBrainKCC wrote: It's apparently a "super BATCH DOS", with much more powerful functions, surely in relation with the new PowerShell function of Windows :idea:
:lol: :lol: Too funny, this KCC :lol: :lol:


After reading what a ShellCode is, it's not the first comer who can use this :shock:
And I don't think a beginner has enough information in this thread to do something bad... I have understood nothing :mrgreen: :oops:
Only a good understanding of ASM and EXE structure can help to use this method :|
So thanks all the same for having taught me something, master MIJIKAI 8)
The happiness is a road...
Not a destination
walbus
Addict
Posts: 929
Joined: Sat Mar 02, 2013 9:17 am

Re: Stores simple states in exe

Post by walbus »

It's simple.
To solve a problem you are looking for the simplest and most efficient solution.

It is of course possible to make everything complicated and laborious.

Offering you an assembler solution if you code in PB and probably never use assembler yourself is not very helpful.
From a practical point of view it is even nonsense, sorry.

It's not helpful if I only want to show you what great things I can do.
It's helpful if I show you what you can do yourself.

It's always a considerable advantage when solutions are manageable and simple :wink:
Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

Yes, you are right, why do something complicated when a simple solution exists? :wink:

But don't forget my question is: without creating another EXE, can I store one bit, or better if it's possible?
The majority of solutions given to me by all the kind members 8) still create another file, etc....

My two solutions respect the demand: I can store in the constant, or change the case of the exe's name, without recreating anything, "like if" it's an ACCESS file, yes or no? :wink:
The solution of FIRACE apparently also respects the demand, but some problems exist when there is a copy, etc.. :|

Before, in another program of mine, I used the create-another-file solution, and sometimes the temp file did not have the time to be deleted, or other problems; in fact sometimes it works on one machine and not on another, often a problem of timing :|
And once again, even if you have the perfect solution: create file, patching, delete, etc. for just one bit...

And to finish, ASM is the base of PB; it's not because FRED has the kindness and intelligence to hide it as much as possible that ASM is not the heart of PB.
It's the reason why FRED gives the possibility to program as well in PB as in ASM without problem.
So.. an ASM solution is a PB solution... That's the power of PB, even if KCC understands nothing of the hieroglyphs :lol:

Then I was wrong, ASM can modify an EXE... too strong, this ASM.... when all is impossible and lost, like the FOX.. ASM is always here to save the poor and oppressed :mrgreen:
AZM is surely a better name for it :lol:


Nothing can stop ASM....
I love it 8)
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

It might look complicated but it is not at all.
It's basically just this in asm (ignore the OpenFile instead of CreateFile):

Hastily coded:

Code:

Procedure.i Patch(Target.s,Offset.i,*Buffer,BufferSize.i)
  Protected Handle.i
  Protected OF.OFSTRUCT
  Protected Bytes.i
  Protected Result.i
  Protected *FileName
  *FileName = Ascii(Target)
  If *FileName
    Handle = OpenFile_(*FileName,@OF,#OF_WRITE)
    If Not Handle = #INVALID_HANDLE_VALUE
      If Not SetFilePointer_(Handle,Offset,#Null,#FILE_BEGIN) = #INVALID_SET_FILE_POINTER
        Result = WriteFile_(Handle,*Buffer,BufferSize,@Bytes,#Null)
      EndIf
      CloseHandle_(Handle)
    EndIf
    FreeMemory(*FileName)
  EndIf
  ProcedureReturn Result
EndProcedure
The only reason why we need this as shellcode is the fact that we need to outsource this function,
as it would not work while our application is running.

This is pretty much straightforward.
It boils down to less than 100 lines of code (shellcode included).
walbus
Addict
Posts: 929
Joined: Sat Mar 02, 2013 9:17 am

Re: Stores simple states in exe

Post by walbus »

See, the real Kung Fu KCC would say: Don't search for resistance in combat, go the easiest way, try to end the fight as soon as possible.
A real KungFu fight lasts about 3 seconds, no more..... :wink:
Think simple!
Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

@MIJIKAI
Aaaah ok !!!! :shock:
In fact, it's the same method as creating another EXE that patches the first, but all in memory, 8) it's splendid :shock:

@WALBUS
If I had followed this advice 15 years ago, I would not be here today to break your feet :mrgreen: :lol:
CELTIC88
Enthusiast
Posts: 154
Joined: Thu Sep 17, 2015 3:39 pm

Re: Stores simple states in exe

Post by CELTIC88 »

just for fun :D

you need to inject the shell in a remote process, for example explorer.exe

Code:

DataSection
  shellcode:
  Data.q $68C5890000006AE8, $8D0455FF000003E8, $6800000000681C55, $36800000000, $68000000006800, $4000000068000000, $74FFF8830055FF52, $68000000006850CE, $501475FF00000000, $558D24048B0855FF, $68240C8D5118, $468510000, $48B590C55FF5052, $8BC3581055FF5024, $C371C0832404,0,0,0
  Data.w 0
  sellend:
EndDataSection

Structure Shelldata
  __WinAPI_CreateFileA.l
  __WinAPI_Sleep.l
  __WinAPI_SetFilePointer.l
  __WinAPI_WriteFile.l
  __WinAPI_CloseHandle.l
  __OffsetFile.l
  __NumberToWrite.l
EndStructure

pathoffile.s = "C:\test.exe"; path of your exe here
sizeshell = ?sellend-?shellcode
*pshell  = AllocateMemory(sizeshell + StringByteLength(pathoffile,#PB_Ascii) + 2)
CopyMemory(?shellcode,*pshell, sizeshell)
PokeS(*pshell+ sizeshell, pathoffile,-1,#PB_Ascii)
*pShelldata.Shelldata =*pshell +  sizeshell - SizeOf(Shelldata)
OpenLibrary(0,"kernel32")
With *pShelldata
  \__WinAPI_CreateFileA = GetFunction(0,"CreateFileA")
  \__WinAPI_Sleep = GetFunction(0,"Sleep")
  \__WinAPI_SetFilePointer = GetFunction(0,"SetFilePointer")
  \__WinAPI_WriteFile = GetFunction(0,"WriteFile")
  \__WinAPI_CloseHandle = GetFunction(0,"CloseHandle")
  \__OffsetFile = 0 
  \__NumberToWrite = $ffffffff
EndWith


Debug CallFunctionFast(*pshell)
Source of the shellcode (compile with fasm):

Code:

use32

;Just a example to make a shell-code with fasm


  __WinAPI_CreateFileA    equ ebp + 0
  __WinAPI_Sleep          equ ebp + 4
  __WinAPI_SetFilePointer equ ebp + 8
  __WinAPI_WriteFile      equ ebp + 12
  __WinAPI_CloseHandle    equ ebp + 16
  
  __OffsetFile            equ ebp + 20
  __NumberToWrite         equ ebp + 24
  __FileName              equ ebp + 28
  
  CALL .GetbaseAdress ;Get shell-code memory address
  MOV ebp, eax
  
  .looooop:
  PUSH dword 1000
  CALL dword [__WinAPI_Sleep] ; sleep(1000); //
  
  LEA edx,   [__FileName]
  
  PUSH dword 0
  PUSH dword 0
  PUSH dword 3
  PUSH dword 0
  PUSH dword 0
  PUSH dword 1073741824
  PUSH edx  
  CALL dword [__WinAPI_CreateFileA] ; CreateFileA(__FileName,1073741824,0,0,3,0,0);
  CMP eax, -1 ;if hfile != -1 {Break};
  JE .looooop
  
  PUSH eax ; save hfile in stack
  
  PUSH dword 0
  PUSH dword 0
  PUSH dword [__OffsetFile]
  PUSH eax
  CALL dword [__WinAPI_SetFilePointer];SetFilePointer(hfile,__OffsetFile,0,0) ;
  
  MOV eax, [esp]
  LEA edx,dword [__NumberToWrite] ; Get address of number &__NumberToWrite
  PUSH ecx
  LEA ecx, [esp]
  
  PUSH dword 0
  PUSH ecx
  PUSH dword 4
  PUSH edx
  PUSH eax  
  CALL dword [__WinAPI_WriteFile];WriteFile(hfile,&__NumberToWrite,4,&nbwritten,0);
  POP ecx
  
  MOV eax, [esp]
  PUSH eax  
  CALL dword [__WinAPI_CloseHandle];CloseHandle(hfile)
  POP eax
  RET ; end
  
  .GetbaseAdress:
  MOV eax, [esp]
  add eax, ._Data - 5 ;5 <== size of call+address
  RET

  ._Data:
  ;dd == > 4 byte
  
  dd 0 ;Address of CreateFileA API 
  dd 0 ;Address of Sleep API
  dd 0 ;Address of SetFilePointer API
  dd 0 ;Address of WriteFile API
  dd 0 ;Address of CloseHandle API
  
  dd 0 ;Offset of file to write in
  dd 0 ;number to be written
  ;full path of file ;ex : db "c:\test.exe", 0
X64

Code:

use64

  __WINAPI_CreateFileA    equ rbp + 0
  __WINAPI_Sleep          equ rbp + 8
  __WINAPI_SetFilePointer equ rbp + 16
  __WINAPI_WriteFile      equ rbp + 24
  __WINAPI_CloseHandle    equ rbp + 32
  
  __OffsetFile     equ rbp + 40
  __NumberToWrite  equ rbp + 48
  __FileName       equ rbp + 56
  
  __Param5         equ rsp + 32
  __Param6         equ rsp + 40
  __Param7         equ rsp + 48
  
  __hfile          equ rsp + 56
  
  __StackSize      =   56 + 8 + 8 ;+8/ 16

  SUB rsp, __StackSize
  
  CALL .GetbaseAdress
  MOV rbp, rax
  
  .looooop:
  MOV rcx, Qword 500
  CALL Qword [__WINAPI_Sleep]
  
  MOV Qword [__Param7],  0
  MOV Qword [__Param6],  0
  MOV Qword [__Param5],  3
  XOR r9, r9
  XOR r8, r8
  MOV rdx, Qword 1073741824
  LEA rcx,   [__FileName]
  CALL Qword [__WINAPI_CreateFileA]
  CMP rax, -1
  JE .looooop
  
  MOV Qword [__hfile],  rax
  
  XOR r9, r9
  XOR r8, r8
  MOV rdx, Qword [__OffsetFile]
  MOV rcx, Qword [__hfile]
  CALL Qword [__WINAPI_SetFilePointer]
  
  MOV Qword [__Param5],  0
  LEA r9, [__Param6]
  MOV r8, Qword 8
  LEA rdx,Qword [__NumberToWrite]
  MOV rcx, Qword [__hfile]
  CALL Qword [__WINAPI_WriteFile]
  
  MOV rcx, Qword [__hfile]
  CALL Qword [__WINAPI_CloseHandle]
  
  ADD rsp,__StackSize
  RET
  
  .GetbaseAdress:
  MOV rax, [rsp]
  ADD rax, ._Data -9
  RET
  ._Data:
Last edited by CELTIC88 on Tue Apr 10, 2018 8:05 am, edited 1 time in total.
interested in Cybersecurity..
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

CELTIC88 wrote: just for fun :D

you need to inject the shell in a remote process, for example explorer.exe
...
Looks good :D
now we have both x64 & x86 8)
(they work slightly differently though)
Last edited by Mijikai on Sun Apr 08, 2018 7:34 pm, edited 2 times in total.
RSBasic
Moderator
Posts: 1228
Joined: Thu Dec 31, 2009 11:05 pm
Location: Gernsbach (Germany)

Re: Stores simple states in exe

Post by RSBasic »

Looks good too. :!:
Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

Thanks a lot master CELTIC88 8)
You always surprise me :shock:
How can you understand all of this alone, without having learned it in school, just by reading :shock:

Excuse me for being so stupid, it works for everybody and not for me, as usual :oops:
Is it like this that I must use your splendid code?

I have created an exe "D:\Test.exe" with this code

Code:

MessageRequester("Kcc", "hello")
After I have run your code, I have "372" in debug

And when I run the "D:\Test.exe", I have
"Le fichier est endommagé et illisible" :|

Perhaps because I'm on W10 X64?
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

In his example it will patch $ffffffff at offset $0 which will corrupt the test.exe.
Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

It's the normal behaviour then?? :shock:
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

Kwai chang caine wrote: It's the normal behaviour then?? :shock:
Yes :)

I coded a cleaner test-function for CELTIC88's version, maybe it helps:

Code:

Import "kernel32.lib"
  GetProcAddress(h.i,s.p-Ascii)
EndImport

Procedure.i RunPatchStub(Target.s,Offset.l,Value.l)
  Structure PATCH_STUB_STRUCT
    a1.l
    a2.l
    a3.l
    a4.l
    a5.l
    offset.l
    value.l
  EndStructure
  Protected *Ascii
  Protected AsciiSize.l
  Protected *Buffer
  Protected *Patch.PATCH_STUB_STRUCT
  Protected Base.l
  Protected Result.l
  Base = GetModuleHandle_("kernel32.dll")
  *Ascii = Ascii(Target)
  If *Ascii
    AsciiSize = MemorySize(*Ascii)
    *Buffer = AllocateMemory(AsciiSize + 146)
    If *Buffer
      CopyMemory(?Shellcode,*Buffer,146)
      CopyMemory(*Ascii,*Buffer + 146,AsciiSize)
      *Patch = *Buffer + 146 - SizeOf(PATCH_STUB_STRUCT)
      *Patch\a1 = GetProcAddress(Base,"CreateFileA")
      *Patch\a2 = GetProcAddress(Base,"Sleep")
      *Patch\a3 = GetProcAddress(Base,"SetFilePointer")
      *Patch\a4 = GetProcAddress(Base,"WriteFile")
      *Patch\a5 = GetProcAddress(Base,"CloseHandle")
      *Patch\offset = Offset
      *Patch\value = Value
      Result = CallFunctionFast(*Buffer)
      FreeMemory(*Buffer)
    EndIf
    FreeMemory(*Ascii)
  EndIf
  ProcedureReturn Result
  Shellcode:;by CELTIC88 (with changed delay!)
  !db 0E8h,06Ah,000h,000h,000h,089h,0C5h,068h,00Ah,000h,000h,000h,0FFh
  !db 055h,004h,08Dh,055h,01Ch,068h,000h,000h,000h,000h,068h,000h,000h
  !db 000h,000h,068h,003h,000h,000h,000h,068h,000h,000h,000h,000h,068h
  !db 000h,000h,000h,000h,068h,000h,000h,000h,040h,052h,0FFh,055h,000h
  !db 083h,0F8h,0FFh,074h,0CEh,050h,068h,000h,000h,000h,000h,068h,000h
  !db 000h,000h,000h,0FFh,075h,014h,050h,0FFh,055h,008h,08Bh,004h,024h
  !db 08Dh,055h,018h,051h,08Dh,00Ch,024h,068h,000h,000h,000h,000h,051h
  !db 068h,004h,000h,000h,000h,052h,050h,0FFh,055h,00Ch,059h,08Bh,004h
  !db 024h,050h,0FFh,055h,010h,058h,0C3h,08Bh,004h,024h,083h,0C0h,071h
  !db 0C3h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
  !db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
  !db 000h,000h,000h
EndProcedure

OpenConsole("PatchStub (x86) by CELTIC88")
PrintN(Str(RunPatchStub("Test.exe",$280,$FFFFFFFF)))
Input()
CloseConsole()
Last edited by Mijikai on Sun Apr 08, 2018 8:35 pm, edited 1 time in total.
Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

I am ashamed :oops:
This time, I have run your nice code, have "400" in the console, I close the console, and run the exe, and the MessageRequester appears as if I have not done anything :shock:

Code:

MessageRequester("kcc", "Hello")
There is surely something to see, but I see nothing :oops:
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

Kwai chang caine wrote: I am ashamed :oops:
This time, I have run your nice code, have "400" in the console, I close the console, and run the exe, and the MessageRequester appears as if I have not done anything :shock:

Code:

MessageRequester("kcc", "Hello")
There is surely something to see, but I see nothing :oops:
You need to open the Test.exe in a hex viewer :)
It will write FF FF FF FF at offset 0x280.

The value you get in the console is the return value of the shellcode;
in this case it would be the file handle that was used.
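Mijikai's two answers explain what KCC saw: a DWORD written at offset 0 overwrites the "MZ" DOS header, so Windows reports the file as corrupt, while a write at 0x280 lands past the PE headers and the program still runs; the only visible change is the four FF bytes in a hex viewer. The following Python is an added example, not code from the thread or from CELTIC88's stub: it classifies a raw file offset against the PE headers before writing, refuses writes that would land in a header, and records a SHA-256 before and after so the change can be verified without a hex viewer. The function names and the minimal PE-like buffer are constructed for this example (the buffer is a header skeleton, not a runnable executable).

```python
"""Check where a raw offset lands in a PE image before patching a DWORD there.

Added example; the PE-like sample buffer is constructed, not a real executable.
"""
import hashlib
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SIZEOF_HEADERS_OFFSET = 60  # same offset in PE32 and PE32+ optional headers


def pe_regions(data: bytes) -> dict:
    """Return byte ranges of the DOS header/stub, the PE headers and the body.

    Only the fields needed for the classification are parsed: e_lfanew at
    0x3C and SizeOfHeaders from the optional header.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    if opt + SIZEOF_HEADERS_OFFSET + 4 > len(data):
        raise ValueError("optional header truncated")
    size_of_headers = struct.unpack_from("<I", data, opt + SIZEOF_HEADERS_OFFSET)[0]
    return {
        "dos_header": (0, e_lfanew),
        "pe_headers": (e_lfanew, size_of_headers),
        "body": (size_of_headers, len(data)),
    }


def classify_offset(data: bytes, offset: int) -> str:
    """Name the region a raw offset falls into ('out_of_file' if beyond EOF)."""
    for name, (start, end) in pe_regions(data).items():
        if start <= offset < end:
            return name
    return "out_of_file"


def patch_dword(data: bytes, offset: int, value: int) -> tuple:
    """Write a little-endian DWORD at offset, refusing any header write.

    Returns (patched_bytes, sha256_before, sha256_after).
    """
    region = classify_offset(data, offset)
    if region != "body" or offset + 4 > len(data):
        raise ValueError(f"refusing to patch offset {offset:#x}: lands in {region}")
    before = hashlib.sha256(data).hexdigest()
    patched = data[:offset] + struct.pack("<I", value & 0xFFFFFFFF) + data[offset + 4:]
    return patched, before, hashlib.sha256(patched).hexdigest()


def patch_is_refused(data: bytes, offset: int, value: int) -> bool:
    """True when patch_dword rejects the offset (used to show the header case)."""
    try:
        patch_dword(data, offset, value)
    except ValueError:
        return True
    return False


def build_sample_image() -> bytes:
    """Constructed 1 KiB PE-like skeleton: MZ header, PE signature, SizeOfHeaders=0x200."""
    img = bytearray(0x400)
    img[:2] = DOS_MAGIC
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    struct.pack_into("<H", img, opt, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", img, opt + SIZEOF_HEADERS_OFFSET, 0x200)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for off in (0x0, 0x280):
        print(f"offset {off:#06x} -> {classify_offset(image, off)}")
    patched, h_before, h_after = patch_dword(image, 0x280, 0xFFFFFFFF)
    print("bytes at 0x280:", patched[0x280:0x284].hex())
    print("changed:", h_before != h_after)
```

Run against the real Test.exe by replacing `build_sample_image()` with the file's bytes; the classification uses only the MZ/PE header fields, so it works on any Windows executable, and the before/after hashes are what an integrity check would compare.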